In recent years, Wireless Local Area Networks (Wireless LANs or WLANs) have become widespread; the reasons for this can be traced back to the advantages in terms of ease of installation and use of wireless connections, the decreasing cost of hardware equipment (both in respect of the mobile user terminals—like portable personal computers, laptops, palmtops, PDAs, smartphones and the like—and of the network access points), the good performance in terms of maximum bit-rate, comparable to that of wired data communication networks, and, differently from mobile telephony networks, the use of unlicensed radio bands.
Most WLAN deployments comply with the IEEE 802.11 standard, commonly called “Wi-Fi”, a short term for “Wireless Fidelity”. The IEEE 802.11 standard, available on the Internet for download at the URL: http://standards.ieee.org/getieee802/802.11.html (at the filing date of the present patent application), specifies the Medium Access Control (MAC) and physical (PHY) layers for devices capable of operation in the unlicensed Industrial, Scientific, and Medical (ISM) radio bands (2.4 GHz and 5 GHz).
Wireless communication technologies are mostly used to access packet-switched data networks, either public (like the Internet) or private (Value Added Service—VAS—networks). In this way, mobile users are allowed to access an enormous number of on-line services and applications made available by service providers. For example, data services and applications like e-mail, e-commerce, e-banking etc. are already, or are becoming, accessible via mobile devices like PDAs, laptops and smartphones.
Complex security issues must however be faced and solved, so that they do not become an obstacle to the further spreading and success of wireless technology.
WLANs are as a matter of fact inherently less secure than conventional wired LANs, for the reason that they use radio as the communication medium. In a wireless network it is hard to control the exact extension range of the network: transmitted data are broadcast over the air using radio waves. Because radio waves travel through ceilings, floors and walls, the transmitted data may reach unintended recipients. Without setting up stringent security measures, installing a WLAN can be the equivalent of putting Ethernet ports everywhere. For example, in the case of a company's private WLAN, the radio signal can easily get over the boundary of the company site, and an attacker with a suitable antenna can passively monitor (“sniff”, in jargon) network traffic without needing to access the network either physically or logically.
As with other networks, security for WLANs focuses on access control and privacy. The traditional implementation of WLAN security includes the use of static Wired Equivalent Privacy (WEP) keys and optional Media Access Control (MAC) authentication. This combination offers a certain level of access control and privacy, but it has been recognized that vulnerabilities exist in the IEEE 802.11 authentication and data privacy schemes. In particular, WEP suffers from a serious flaw which makes it possible for an attacker to discover the WEP key by just sniffing a certain amount of Wi-Fi data traffic. Moreover, WEP key provisioning is not dynamic, that is, the key is manually configured on each user terminal intended to access the wireless network, and is stored in clear and only in a few cases in the firmware of a smart card. These WEP weaknesses, together with the absence of authentication of management and control messages, contribute to making Wi-Fi networks deeply insecure.
To increase wireless network security, the IEEE 802.11 standardization group has defined an amendment to the original IEEE 802.11 standard, called IEEE 802.11i and commercially known as Wi-Fi Protected Access (WPA), which establishes a new security standard for Wi-Fi networks. As known in the art, the IEEE 802.11i standard relies on a port-based network access-control mechanism established in another, independent standard, called IEEE 802.1X (IEEE standard for local and metropolitan area networks, port-based network exchange), for authentication and key distribution. This standard, applied to WLANs, is adapted to enable strong, mutual authentication between a client (a so-called “supplicant”) and an authentication server. In addition, IEEE 802.1X can provide dynamic per-user, per-session keys that can be used to protect the data link layer, removing the administrative burden and the security issues inherent in the use of static WEP keys.
The IEEE 802.1X authentication procedure is performed before a generic mobile terminal gets access to the wireless network. The network operator verifies the mobile terminal identity and, based on this check, the mobile terminal is granted access to the network.
Once the mobile terminal has accessed the WLAN, its user may for example surf the Internet and get to the Web sites of on-line service providers providing on-line services. In order to enjoy the on-line services, the authentication performed with the wireless network operator for being granted access to the wireless network is generally not sufficient: in addition thereto, the user of the mobile terminal needs to authenticate to the service providers whose on-line services he/she intends to enjoy; in other words, service providers ask the users to authenticate before they are granted access to the services they offer, no matter whether they have already authenticated with the wireless network operator. Typically, the authentication mechanism and the credentials (hereinafter referred to as service access credentials) needed for authenticating to an on-line service provider are different and independent from those used for authenticating to the network operator.
On the one hand, the independence of the authentication mechanisms, particularly of the network access credentials used by the mobile terminal of the user for network access from the service access credentials used for authenticating to the on-line application service provider, satisfies a security requirement: were this not the case, an attacker who compromised a mobile communication terminal and got possession of the credentials used to perform the network access would be able to launch an attack against the on-line service provider as well, for example compromising the user's electronic mail archive. Additionally, the use of service access credentials that are different from those of the access network is necessary for a flexible credential provisioning mechanism.
On the other hand, this may pose problems to the network operators and the on-line service providers, which have to provide credentials to their customers in a secure and efficient way; also, and this is everyday experience, users have to manage a growing number of different access credentials (usernames, passwords), with all the risks that this involves (lost or stolen passwords, impersonation, etc.).
Some solutions for provisioning of service access credentials are known in the art.
For example, in the 3GPP GBA (Generic Bootstrapping Architecture), defined in the 3GPP Technical Specifications (TSs) 33.220, 33.221 and 33.222, downloadable (at the date of filing of the present patent application) from the URL www.3gpp.org, a framework is defined for application key generation based on the 3G UMTS mobile network authentication protocol. GBA is based on a mobile terminal with a UICC (SIM) storing a secret key K, a NAF (Network Application Function) application server, i.e. a Web server or a generic data service server (the NAF and the mobile terminal do not share any secret by which the terminal could authenticate to the server), and a BSF (Bootstrapping Server Function) server located in the mobile operator network, which knows the secret key K stored in the mobile terminal UICC and can authenticate the mobile terminal through an authentication mechanism based on the knowledge of the secret key K. Following the mobile terminal authentication, the BSF server communicates to the NAF server a secret key, shared with the mobile terminal, which the mobile terminal can then use to access the NAF server.
The IETF (Internet Engineering Task Force) Extensible Authentication Protocol (EAP) key management framework (a draft of which is downloadable, at the filing date of the present patent application, from the URL http://tools.ietf.org/wg/eap/draft-ietf-eap-keying/draft-ietf-eap-keying-07.txt) provides a framework for the generation, transport and usage of keying material generated by EAP authentication algorithms, known as “methods”. As described in the draft, an Extended Master Session Key (EMSK) is derived as part of the EAP authentication process, which EMSK is known only to the authentication server and the supplicant of the IEEE 802.1X framework. In the draft “EAP key management extensions” (downloadable at the filing date of the present application from the URL http://www.drizzle.con-d-aboba/EAP/draft-aboba-eapkeying-extns-OO.txt), extensions to the EAP key management framework are defined to enable the use of EAP in new applications. In that draft, Application-specific Master Session Keys (AMSKs) are defined as keys derived from the EMSK, which are shared by the supplicant and the authentication server.
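The GBA arrangement (a BSF holding K and handing the NAF only a derived key) and the EAP key hierarchy (AMSKs derived from an EMSK that only the supplicant and the authentication server know) share one pattern: a master key established by network authentication is never given to the application server; instead, a per-service key is derived from it and bound to the service identity, so that a key leaked by one service is useless at another and reveals nothing about the master key. The following Python is an added illustration of that pattern, not code from the patent, from 3GPP or from the IETF drafts. It uses HKDF (RFC 5869, implemented here with HMAC-SHA256) as a stand-in for the specifications' own key derivation functions, and the `BootstrapServer`/`Terminal` roles, the `"app-key|..."` label format and the terminal and service identifiers are all constructed for the example.

```python
"""Illustration of bootstrapping per-service keys from a network-authentication
master key. Constructed example; HKDF stands in for the normative 3GPP GBA and
IETF EAP derivations, which use different labels and inputs."""
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: condense input key material into a pseudorandom key."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: stretch `prk` into `length` bytes bound to `info`.
    Different `info` values give independent-looking outputs from the same prk."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def rfc5869_case1_ok() -> bool:
    """Check the implementation against RFC 5869 Appendix A test case 1."""
    ikm = bytes([0x0B]) * 22
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex()
        == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


def derive_service_key(master_key: bytes, service_id: str, terminal_id: str,
                       length: int = 32) -> bytes:
    """Derive an application key bound to one service and one terminal.
    This is the EMSK -> AMSK / K -> NAF-key step in spirit; the label format is
    an assumption of this example, not the specifications' encoding."""
    info = b"app-key|" + service_id.encode() + b"|" + terminal_id.encode()
    return hkdf_expand(master_key, info, length)


class BootstrapServer:
    """Role of the BSF / EAP authentication server: the only party besides the
    terminal that holds the master key. Hypothetical class for this example."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def complete_network_authentication(self, terminal_id: str, master_key: bytes) -> None:
        # In GBA/EAP this key results from the network authentication run;
        # here it is simply handed in.
        self._master_keys[terminal_id] = master_key

    def key_for_service(self, terminal_id: str, service_id: str) -> bytes:
        # Only the derived key is released to the application server.
        return derive_service_key(self._master_keys[terminal_id], service_id, terminal_id)


class Terminal:
    """Role of the mobile terminal / supplicant. Hypothetical class for this example."""

    def __init__(self, terminal_id: str, master_key: bytes) -> None:
        self.terminal_id = terminal_id
        self._master_key = master_key

    def key_for_service(self, service_id: str) -> bytes:
        return derive_service_key(self._master_key, service_id, self.terminal_id)


def demo() -> dict:
    """Run the bootstrapping flow for two services and report the properties
    a practitioner cares about."""
    # Constructed master key; in practice established by network authentication.
    master = hkdf_extract(b"constructed-salt", b"constructed master key material")
    bsf = BootstrapServer()
    bsf.complete_network_authentication("terminal-A", master)
    terminal = Terminal("terminal-A", master)
    other_master = hkdf_extract(b"constructed-salt", b"another terminal's material")
    other_terminal = Terminal("terminal-B", other_master)

    mail_key_server = bsf.key_for_service("terminal-A", "mail.example")
    mail_key_terminal = terminal.key_for_service("mail.example")
    bank_key_terminal = terminal.key_for_service("bank.example")
    return {
        # terminal and service end up with the same key without the service seeing `master`
        "keys_agree": mail_key_server == mail_key_terminal,
        # one compromised service key is unrelated to the key of another service
        "services_distinct": mail_key_terminal != bank_key_terminal,
        # two terminals never share a service key
        "terminals_distinct": mail_key_terminal != other_terminal.key_for_service("mail.example"),
    }
```

The NAF or application server in this model receives only `key_for_service(...)`; because HKDF-Expand is a one-way function of the master key and the service label, that key cannot be turned back into the master key or into another service's key, which is exactly the independence between network access credentials and service access credentials that the following paragraphs argue for.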
U.S. Pat. No. 6,611,194 describes a method for inserting a service key in a terminal, and devices for implementing said method. A service key is inserted into a terminal and is used to enable the decryption of the encrypted service data received from a service center. The service center requests and obtains a coding key from a trust center when the service center receives a service key transmission request from the terminal. The service key transmission request includes a terminal identity number. The service center forwards the request to the trust center, which returns the coding key associated with a decoding key corresponding to the specific terminal. The service center encrypts the service key with the coding key and transmits the service key to the terminal. The service key is decrypted in the terminal using the decoding key input to the terminal by the terminal manufacturer. The service data can correspondingly be decrypted for use by the terminal user. The terminal manufacturer transmits to the trust center a terminal identity number which enables the trust center to assign a decoding key to a terminal. The decoding key provided in the terminal by the terminal manufacturer is transmitted to the terminal manufacturer by a trust center. Dedicated service keys can be provided for each of the different services from a service center.
US 2004/0240671 discloses a method for remote loading of an encryption key in a telecommunication network station, which makes it possible to load into a SIM, for a wireless terminal, encryption keys of one or more applications remotely, in a secure manner. The loading of the keys is achieved by means of messages transmitted to the wireless terminal via SMS. To secure the transmission, the message is encrypted by means of a so-called “transportation” or “transmission key” which is created and recorded in the SIM card at the time of its personalization by an operator. The key loading or change is initiated either by the user or by the service provider of the application, for example a bank for banking transactions. The loading step is preceded by a step consisting of detecting in the SIM the absence of a key or a requirement to update said key. Where the loading of the transaction key is initiated by the application key server, it detects the fact that in a transaction message coming from the wireless terminal the transaction key does not exist or is no longer appropriate for performing the transaction. The message which is analyzed is a cryptographic certificate or a request from the SIM. The analysis is performed by the application key server or by a server connected to the application key server, such as a server of the associated application or a server of the service provider of the associated application. The invention of US 2004/0240671 proposes a solution to an additional technical problem which stems from the fact that the same application may be shared by different service providers, each requiring different transaction keys for using the application.
That invention makes it possible to select the key corresponding to the service provider to which the transaction to be performed relates: it thus makes it possible, for one and the same application, to choose from amongst several possible keys those which correspond to a certain service provider at a given moment. The short message comprises an identity of the service provider corresponding to the transaction application, in order to select the correct key to which the transaction relates.